Web pages have, over the years, grown more complex. Currently, it is not uncommon for a web page to embed content from a variety of different sources, such as one or more advertisements served from an ad server, portions of content served from other sources, and/or links to social media services.
A common way in which such content is embedded into a web page is through the use of an iFrame. An iFrame is an HTML element that defines an inline frame in a document that may be used to embed another document, such as a web page, image, advertisement, and the like, into that document. To illustrate how an iFrame may be used, consider FIG. 1, which is a block diagram of a web page according to the prior art. Web page 10 includes three separate embedded documents. These three embedded documents reside within the bounded areas defined by iFrames 20, 22, and 24.
As an iFrame may be used to embed content from any source into a web page, iFrames 20, 22, and 24 may be used to display content from different sources. For example, iFrame 20 may be used to display an advertisement served from an ad server, iFrame 22 may embed a web page served from the same domain as web page 10, and iFrame 24 may embed a web page served from a different domain than the one that served web page 10.
Any data, such as content embedded into a web page, that originates from an untrusted source has the potential to carry malicious code. Thus, any content embedded within web page 10 that originates from outside the trusted domain that hosts web page 10 may contain code that can be used to hijack or otherwise alter the parent web page in an unauthorized manner. Because of this concern, an administrator of a web site may not allow web page 10 to embed any content from an external source. While this may be a good rule of thumb, it is naïve to think all web sites would adhere to this practice. Additionally, there may be instances when the administrator of a web site wishes a web site to link to or embed content originating from an untrusted source, as the perceived benefits of doing so might outweigh the perceived risks.
Given the semantics of the web, it is not always possible for someone using a web browser to determine when a portion of a web page is referencing content from a different domain than the one that served the web page. This introduces an unwelcome element of risk any time a user ventures out on the World Wide Web. As a result, new approaches for addressing the security risks posed by content embedded within a web page are desirable.
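To make the distinction drawn above concrete, the following added example (not part of the original document) audits a page's markup and classifies each iFrame relative to the page that embeds it. The page URL, the markup, and the frame ids are constructed to mirror iFrames 20, 22, and 24 of FIG. 1; as an assumption beyond the text, the comparison uses the full origin (scheme, host, port) that browsers enforce rather than the domain name alone.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin, or None for non-network URLs."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)

class IframeAudit(HTMLParser):
    """Collect every <iframe> and classify it against the parent page's origin."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_origin = origin(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if "srcdoc" in a or not src or src.lower().startswith("about:"):
            kind, target = "inline", None  # content supplied by the parent itself
        else:
            target = urljoin(self.page_url, src)  # resolves relative and // URLs
            o = origin(target)
            # data:, javascript: and similar URLs have no network origin: untrusted
            kind = "same-origin" if o and o == self.page_origin else "cross-origin"
        self.findings.append({"id": a.get("id"), "src": target, "kind": kind,
                              "sandboxed": "sandbox" in a})

def audit(page_url, html):
    parser = IframeAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample: an ad frame, a same-domain frame, and a foreign-domain frame.
SAMPLE_URL = "https://www.example.com/news/index.html"
SAMPLE_HTML = """<html><body>
<iframe id="frame20" src="//ads.example.net/banner?slot=1"></iframe>
<iframe id="frame22" src="/widgets/weather.html"></iframe>
<iframe id="frame24" src="https://other.example.org/embed" sandbox="allow-scripts"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

Frames reported as cross-origin without a `sandbox` attribute are the ones whose content the parent page's administrator has the least control over.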